The OpenSSL Project has released a patch for a critical flaw that was itself introduced by a previous security update to the cryptography library.
The patch was released on Monday. The flaw, tracked as CVE-2016-6309, affects only OpenSSL 1.1.0a, released four days earlier; users of that version should upgrade to 1.1.0b. The vulnerability was reported by Google information security engineer Robert Święcki.
“The patch applied to address CVE-2016-6307 resulted in an issue where if a message larger than approx 16k is received then the underlying buffer to store the incoming message is reallocated and moved,” the security advisory stated. “Unfortunately a dangling pointer to the old location is left which results in an attempt to write to the previously freed location.”

A recent report highlighted the difficulties enterprises face in patching open source software and noted a rising number of attacks resulting from software vendors being slow to update the open source components in their commercial products.
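The dangling-pointer pattern the advisory describes, reduced to a standalone C illustration. This is an added example, not OpenSSL's record-layer code: it assumes a 16 KiB initial buffer (the advisory's "approx 16k"), forces a relocation on every growth so the bug cannot be masked by realloc() growing in place, and feeds a constructed 20,000-byte message in two chunks. The vulnerable append captures the write position as a pointer before the buffer can move; the hardened append keeps an offset and recomputes the pointer afterwards. To keep the demo free of undefined behaviour, the vulnerable version reports the stale pointer instead of writing through it.

```c
#include <stdlib.h>
#include <string.h>

/* Assumed for this example: a 16 KiB initial buffer, matching the advisory's
 * "approx 16k". Standalone illustration, not OpenSSL's own code. */
#define INITIAL_CAP 16384

typedef struct {
    unsigned char *base;  /* heap buffer holding the partially received message */
    size_t cap;           /* bytes allocated */
    size_t len;           /* bytes received so far */
    unsigned moves;       /* how many times the buffer has been relocated */
} msgbuf;

static int msgbuf_init(msgbuf *b)
{
    b->base = malloc(INITIAL_CAP);
    b->cap = b->base ? INITIAL_CAP : 0;
    b->len = 0;
    b->moves = 0;
    return b->base != NULL;
}

static void msgbuf_free(msgbuf *b)
{
    free(b->base);
    b->base = NULL;
    b->cap = b->len = 0;
}

/* Grow to at least `need` bytes. A fresh block is always allocated and the old
 * one freed, so the buffer is guaranteed to move (realloc() may grow in place
 * and hide the bug; the moved buffer is the case the advisory describes). */
static int msgbuf_grow(msgbuf *b, size_t need)
{
    if (need <= b->cap)
        return 1;
    size_t ncap = b->cap;
    while (ncap < need)
        ncap *= 2;
    unsigned char *nb = malloc(ncap);
    if (nb == NULL)
        return 0;
    memcpy(nb, b->base, b->len);
    free(b->base);                /* the old location is now dead memory */
    b->base = nb;
    b->cap = ncap;
    b->moves++;
    return 1;
}

/* Buggy shape: the write position is captured as a raw pointer before the
 * buffer may be reallocated. After a move it dangles into the freed block.
 * The real bug writes `n` bytes through it; here the hazard is detected and
 * reported as -1 so the demo does not execute undefined behaviour. */
static int append_vulnerable(msgbuf *b, const unsigned char *data, size_t n)
{
    unsigned char *cursor = b->base + b->len;   /* taken before the grow */
    unsigned moves_before = b->moves;
    if (!msgbuf_grow(b, b->len + n))
        return 0;
    if (b->moves != moves_before)
        return -1;   /* `cursor` now points into freed memory: use-after-free */
    memcpy(cursor, data, n);
    b->len += n;
    return 1;
}

/* Hardened shape: keep the write position as an offset and derive the pointer
 * from the live base only after any reallocation has happened. */
static int append_hardened(msgbuf *b, const unsigned char *data, size_t n)
{
    size_t off = b->len;                 /* an offset survives a move */
    if (!msgbuf_grow(b, off + n))
        return 0;
    memcpy(b->base + off, data, n);      /* pointer recomputed from b->base */
    b->len = off + n;
    return 1;
}

/* Constructed input: a 20,000-byte message in two 10,000-byte chunks. The
 * first fits in 16 KiB, the second forces a move. Returns the second append's
 * result: 1 on success, -1 for the dangling-pointer case, 0 on allocation
 * failure. */
static int deliver_large_message(int (*append)(msgbuf *, const unsigned char *, size_t),
                                 msgbuf *b)
{
    static unsigned char chunk[10000];
    memset(chunk, 'A', sizeof chunk);
    if (append(b, chunk, sizeof chunk) != 1)
        return 0;
    return append(b, chunk, sizeof chunk);
}

/* Returns -1: the relocation leaves the captured cursor dangling. */
int demo_vulnerable(void)
{
    msgbuf b;
    if (!msgbuf_init(&b)) return 0;
    int r = deliver_large_message(append_vulnerable, &b);
    msgbuf_free(&b);
    return r;
}

/* Returns 20000: the whole message arrived intact across exactly one move. */
long demo_hardened(void)
{
    msgbuf b;
    if (!msgbuf_init(&b)) return 0;
    long got = -1;
    if (deliver_large_message(append_hardened, &b) == 1 && b.moves == 1) {
        got = (long)b.len;
        for (size_t i = 0; i < b.len; i++)
            if (b.base[i] != 'A') got = -2;
    }
    msgbuf_free(&b);
    return got;
}
```

The fix pattern is the same one applied in practice: any pointer into a growable buffer must be treated as invalid across the call that can grow it, so either store offsets or recompute the pointer from the buffer's current base after every growth.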